Exploit reporting stats

Posted by & filed under Second Life.

On the Linden Blog, Brent Linden discusses the experimental exploit-reporting system launched in the wake of Cristiano Midnight’s discovery of (and subsequent suspension for publicizing) an exploit in which it was possible for any user to do Very Bad Things.

Under the experimental system, Brent is now paged every time someone used the SL bug report tool (Help > Report Bug) to report a bug flagged with “Exploit”. However, as he notes:

Since introducing the new Exploit hotline to Brent Linden, we’ve gotten 55 bugs marked ‘Exploit’ and only 6 have actually been issues considered exploits.

He goes on to list some of the examples of reports that Linden most definitely does not consider worth waking him up at 3am. Interestingly, a couple seem to actually be the result of honest confusion about a difficult-to-use feature, and not just ignorance on the part of the senders: “It says my parcel is full! 367/367 prims! This is an exploit, right?”

Ezhar Fairlight, Close Personal Friend to the management here at Omega Point, contributed this bit of smartassery:

So what you are saying is that whenever somebody files a bugreport under the category “exploit” you get alerted immediately? Isn’t that exploitable by itself? It leaves you vulnerable to a DoS attack on your sleep and thus your work performance. You should fix that exploit. Shall I file an exploit report about it? :)

Yes, good work, Ezhar. That will undoubtedly be much appreciated.

Sally Linden on the “Residents” statistic

Posted by & filed under Second Life.

On the Linden Blog today, Sally Linden writes:

There has lately been much confusion and speculation surrounding the “Residents” statistic on the home page of http://secondlife.com. This post is an effort to clear that up.

She goes on to say:

…there was an internal conversation about the number we were reporting, what the Residents thought it represented, and how we could be more transparent. The number that is currently on our home page is a time-weighted average between “total number of signups ever” and “total number of logged in users over the last 60 days”. As of right now, those numbers are 493,563 and 225,028.

And most usefully:

We plan to change the home page to display those two numbers separately. At that time the current “Residents” number will be removed. This change should take place sometime next week.

I’d really be interested in seeing the total number of successful unique logins in the previous 24 hours as well. We’ll see what the response is.

NY Times on AOL search log leak

Posted by & filed under Privacy.

The New York Times describes how they identified a woman from Lilburn, Georgia based on her sort-of/maybe/accidentally leaked-on-purpose-but-it’s-for-researchers– and-also-those-responsible-have-been-sacked AOL search data. They imply that this was due to clever legwork and don’t actually say that she typed in her Social Security number, but there are certainly plenty of examples of searchers who did.

And finally, because you’re apparently supposed to do so in news articles and blog posts about this leak, here are some entertaining searches to amuse yourselves with while condemning AOL for having invaded these people’s privacy:

Between 9:15 and 9:40 AM, user 12276808 searches for:

  • ejaculator
  • ejaculator vacuum
  • milk machine
  • milking devices
  • cow milking devices

User 2643851 searches for:

  • hotmail.com
  • car parts
  • effect of eyewitness testimony on wrongful convictions
  • the eyewitness laboratory department of psycology university of texas at el paso
  • the american psychology association
  • sexy girls
  • google

And finally, the smug, leaked-data-referencing closing statment: That last search may have been a better option.

Miguel de Icaza on the LSL-to-Mono port

Posted by & filed under LSL.

Mono project founder Miguel de Icaza writes about Linden Lab’s presentation at Lang.NET 2006 in which Cory and Babbage Linden described the upcoming move to the Mono CLI.

The challenge is to stop and save a running script. This is something that is relatively easy done with their scripting language, but it becomes trickier with the CLI.

Their implementation instruments the generated CIL assembly to allow any script to suspend itself and resume execution on demand. This is a bit like continuations, the main difference is that the script does not control when it is suspended, the runtime does. The instrumentation basically checks on every back-branch and on every call site whether the script should stop (in Jim’s words, “eventually, you run out of method, or you run out of stack”) and if it must stop, it jumps to the end of the method where a little stub has been injected that saves the state in a helper class and returns.

A very clever idea. Hopefully the slides for the presentation will be posted soon.

I’d very much like to have attended that presentation, and I’d be interested in seeing those slides as well.

Following my attorney’s advise I have obtained a Second Life account.

Welcome to Second Life, Miguel!

(Link stolen from Baba Sucks.)

Verified Accounts and Trust Metrics — Part 1

Posted by & filed under Second Life.

Part 1: International Users

Two months ago, Second Life creator Linden Lab removed the credit card requirement from the account creation process, allowing users without a credit card to join SL for the first time. While the move was met with alarm and opposition among many members of the SL community, it was part of an ongoing plan to open access to Second Life, a plan which has been opposed by many vocal residents at nearly every step of the way, their outrage then forgotten as the next phase has been unveiled.

In a blog post shortly after the initial announcement, Community VP Robin Linden attempted to explain Linden Lab’s position, rationale and intended security measures, addressing the general opinion among the Second Life forums’ users. Forums being what they are, she was likely only partly successful in getting this message across to Second Life’s vocal minority.

Regardless of resident opposition, the policy was changed, and registration was opened up to everyone. With broadband. And a fast computer. And adequate manual dexterity. And who could communicate in English to some degree. So while perhaps not the vast majority that the most optimistic people predicted, it was certainly about to become more accessible to users outside Canada, the US, Australia and the UK, thus fitting in with Linden’s plans to expand Second Life’s user base into Asia and Europe.

So, after two months of open registration, has Linden Lab’s plan been successful? Obviously, with Japanese and Korean job postings on Linden Lab’s employment page, and the recent move to an XML-based client UI –allowing for the simple production of translated clients– we can assume that the “Open SL” master plan is not yet completed.

But what has transpired in the interim? According to Chromal Brodsky’s Second Life Population Statistics site, the number of total accounts has jumped sharply since registrations were made free in April, and mandatory account verification was removed in June, with over 370,000 accounts registered as of this writing. However, as Chromal’s site indicates, the growth of peak concurrent logins over the last year is barely even perceptible as a curve.

We can interpret this discrepancy in several ways, all of which are likely involved to varying degrees:

  • That far more alt accounts are being made and not used concurrently with the existing resident’s main account.
  • That peak concurrent logins have been largely unchanged, due to the demographics of Second Life’s user base. This means the number only reflects peak logins for North Americans. While anecdotal observations indicate Europeans and South Americans are now joining SL in vastly increased numbers, Chromal’s graphs don’t currently indicate whether or not there are more unique logins per day, nor whether logins are higher at typically peak hours for users from other time zones.
  • More users are creating accounts, but are not able to run the client.
  • More users are successfully creating accounts, but do not use SL as frequently as typical active users do. This may be due to several factors:
    • Users who may not otherwise have cared enough to try SL are joining, but use SL more casually.
    • Non-English-speaking users create accounts, but do not find enough people that speak their language to interact with to make them want to stay as long.
    • New residents percieve SL’s value as being lower. If someone pays $10 for an account, they will likely think of it differently than if they give a credit card number, or than if they do neither. This behavior may also be due to the sunk cost fallacy: if the $10 registration cost can be viewed as an investment, someone may still want to use SL to “get their money’s worth”. They may be less willing to do this if the account hasn’t actually cost them anything.

Hard data aside, what anecdotal evidence is there to support an increase in the number of international users?

As a longtime member of the Second Life Mentor group, I’ve taught classes, answered questions, mostly about scripting, and generally been subject to much Mentor group IM spam. Since the removal of credit card verification, I’ve noticed a huge increase in the number of requests for assistance on Help Island, the “wading pool” SL newbies can use to get their bearings for a few minutes or a few days before taking the plunge to the big kid pool of the mainland. These are now mostly requests for translators who speak Spanish, Turkish, Russian, or a dozen other languages.

While obviously I’m not privy to the specific numbers, the fact that the bulk of Mentor IM seems now to be requests for multilingual mentors effectively demonstrates that the removal of credit card verification has succeeded in at least one of its goals, and one I wholeheartedly support.

Update, August 7, 6:15 PM: Chromal has graciously provided all available data from the past 13 months, and notes that while the peak concurrency rate has risen from 2127 in June 2005 to 8357 in August 2006, the minimum concurrency rate has risen from 647 to 3671 in that same period.

The maximum number of concurrent logins is 3.93 times higher than it was 13 months ago, while the minimum is now 5.67 times higher. Interesting stuff.

Verified Accounts and Trust Metrics Part 2: What Went Wrong?


Posted by & filed under Omega Point.

Welcome to Omega Point, a pretentiously-named blog about virtual worlds, the evolution of the metaverse, and the Singularity.

I’m Catherine Omega – and yes, that’s a pseudonym. It’s not much of a pseudonym though, if that helps. If you’re a user of Second Life, you might have heard my name, perhaps even favourably. If you’ve ever scripted anything in Second Life, you almost certainly know who I am. If there aren’t any other posts on this blog yet, you definitely do.

The first rule of learning about Catherine Omega: Don’t google Catherine Omega. Google is full of pernicious lies and misquotes. Really. That, and stuff that’s accurate and that you should ignore as well. There’s also a video. Don’t watch that either.

That said, I’m one of the oldest residents in Second Life. I co-founded and continue to edit the LSL Wiki, an accomplishment that means absolutely nothing outside the Second Life scripting community. Because of these two facts, I have at times been mistaken for an authority on certain topics, which is why I was nudged into starting a blog in the first place.

So here it is.